MSFT Azure Function App not sending emails via Graph API (works on desktop)

Timothy Marsh - MS Cloud 1 Reputation point
2022-06-09T06:04:52.773+00:00

Hi there.

I'm trying to send emails from an Azure Function App via MS Graph API using client credentials workflow and Application permissions. (SMTP relay/Sendgrid etc is not an option for our organisation).

Basically the app detects a file landing in a storage account, triggers the app and fires the email.

The app works on my desktop in VS Code as expected. I am on a corporate network behind a proxy.

However, on testing in the FA in Azure, although we get a successful invocation, no email is sent - our EO mailbox logs show nothing received.

Here's the log from the FA Monitor.

  2022-06-09T02:40:44.016 [Information] Executing 'Functions.email-via-graph-api' (Reason='New blob detected: failed/2022-05-18_15h41m00s_0266201111_0266207713_2.pdf', Id=c11e670f-423a-4427-af8d-b11d61192bce)
  2022-06-09T02:40:44.016 [Information] Trigger Details: MessageId: 235a0fba-0210-46b9-a82b-50a4a858a490, DequeueCount: 1, InsertionTime: 2022-06-09T02:40:43.000+00:00, BlobCreated: 2022-06-07T03:15:04.000+00:00, BlobLastModified: 2022-06-09T02:40:35.000+00:00
  2022-06-09T02:40:44.046 [Information] BEGIN: Sending email for failed referral via Graph API.
  2022-06-09T02:40:44.046 [Information] Blob Name: 2022-05-18_15h41m00s_0266201111_0266207713_2.pdf
  2022-06-09T02:40:44.046 [Information] Blob URI: https://STORAGEACCOUNTNAME.blob.core.windows.net/failed/2022-05-18_15h41m00s_0266201111_0266207713_2.pdf
  2022-06-09T02:40:44.047 [Information] Executed 'Functions.email-via-graph-api' (Succeeded, Id=c11e670f-423a-4427-af8d-b11d61192bce, Duration=44ms)

If I look at Application Insights I can see the token call and Graph call.

Here's the setup:

  • We have Application Permissions for mail.send against the AD App.
  • We have 2 email accounts (a service/automation account and Exchange Online generic account) in a mail group allowed to access the AD App->Graph API FA. The Service Account is permitted to send as/on behalf of the EO account.
  • Our FA is attached to a VNET, route-all set true.
  • All internal-destined traffic routes internally (and these are all internal alert emails to our own domain, i.e. sending and receiving all on the same domain).
  • Our public/outbound traffic is VNET NAT'd to a /30 public prefix.
  • Our NSG and proxy allow out SMTP (any to any) on ports 25 and 587 plus the IPv4 subnets from item 56 here.
  • The FA is on a private endpoint as are storage accounts.
  • The call via axios is below. Again, this works on the desktop.

Axios call. Backticks changed to " in relevant places.

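try {
  // Log the outgoing message payload.
  console.log(JSON.stringify(email, null, 2));
  // POST the message to the sendMail endpoint of the sending mailbox.
  // (As noted above, the template-literal backticks are shown as double quotes.)
  const response = await axios({
    url: "${GRAPH_ENDPOINT}/v1.0/users/${FROM_ADDRESS}/sendMail",
    method: "POST",
    headers: {
      "Authorization": "Bearer ${access_token}",
      "Content-Type": "application/json",
    },
    data: JSON.stringify(email),
  });
} catch (err) {
  // The rest of the handler was not included in the post.
  throw err;
}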

Any guidance would be very much appreciated.
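
The client credentials flow and sendMail call described in the post, written out end to end as an added example (not part of the original post and not the poster's code). It uses the built-in fetch of Node 18+ instead of axios and treats anything other than HTTP 202 from Graph as a failure, so a rejected send fails the invocation with the service's error code in the log; the function and parameter names are assumptions.

```javascript
// Added example, not the poster's code. All parameter names are assumptions.
const LOGIN = "https://login.microsoftonline.com";
const GRAPH = "https://graph.microsoft.com";

// Throw unless the response has the expected status, including the service's error detail.
async function failIfNot(res, expected, step) {
  if (res.status === expected) return;
  const text = await res.text();
  let detail = text;
  try {
    const j = JSON.parse(text);
    // Graph returns {error:{code,message}}; the token endpoint {error,error_description}.
    detail = typeof j.error === "object"
      ? `${j.error.code}: ${j.error.message}`
      : `${j.error}: ${j.error_description}`;
  } catch (_) { /* body was not JSON; keep the raw text */ }
  throw new Error(`${step} failed: HTTP ${res.status} ${detail}`);
}

async function sendMailAsApp(cfg, fetchImpl = fetch) {
  const { tenantId, clientId, clientSecret, from, to, subject, text } = cfg;
  // Step 1: client credentials grant; ".default" requests the app's granted application permissions.
  const tokenRes = await fetchImpl(`${LOGIN}/${tenantId}/oauth2/v2.0/token`, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({
      grant_type: "client_credentials", client_id: clientId,
      client_secret: clientSecret, scope: `${GRAPH}/.default`,
    }).toString(),
  });
  await failIfNot(tokenRes, 200, "token request");
  const { access_token } = JSON.parse(await tokenRes.text());

  // Step 2: send as the mailbox in `from`. Graph replies 202 Accepted with an empty body.
  const url = `${GRAPH}/v1.0/users/${encodeURIComponent(from)}/sendMail`;
  const mailRes = await fetchImpl(url, {
    method: "POST",
    headers: { Authorization: `Bearer ${access_token}`, "Content-Type": "application/json" },
    body: JSON.stringify({
      message: {
        subject, body: { contentType: "Text", content: text },
        toRecipients: [{ emailAddress: { address: to } }],
      },
      saveToSentItems: false,
    }),
  });
  await failIfNot(mailRes, 202, "sendMail");
  return mailRes.status; // the caller can log this next to the invocation id
}
```

In a function handler the call must be awaited (or its promise returned) so the invocation does not complete before Graph has answered.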
